Re: Missing GnuPG signatures for checksums
Hi Steve and Julien,

On 4/20/20 6:45 PM, Steve McIntyre wrote:
> There are checksums for these in the archive
> (dists/buster/main/installer-amd64/current/images/SHA256SUMS etc.) and
> those files are themselves checksummed in the top-level buster Release
> file, and that's signed by Release.gpg (or via InRelease if you prefer
> that route).
>
> Yes, it's not very obvious...

Many thanks, I got it now!

Steve, also many thanks for the automatically generated reference for all preseed options, I found apt-setup/disable-cdrom-entries there, very nice to have everything in one place, most of them aren't documented anywhere else.[1]

Best regards,
Laurentiu

[1] https://jack.einval.com/debian-preseed/

Re: Missing GnuPG signatures for checksums
Hi Laurențiu

On Mon, Apr 20, 2020 at 06:38:48PM +0200, Laurențiu Păncescu wrote:
>Hello,
>
>I'm trying to put a preseed file on the same USB stick as the installation,
>using hd-media/boot.img.gz is easier than remastering the iso. It works, but
>there seems not to be any signed checksum file for these images and they are
>served only over http:
>
>http://http.us.debian.org/debian/dists/buster/main/installer-amd64/current/images/
>
>How can I check if these images are authentic? I guess I could mount a signed
>CD iso like netinst, copy vmlinuz and initrd from there and create my own USB
>stick with syslinux - is there a better way?

There are checksums for these in the archive
(dists/buster/main/installer-amd64/current/images/SHA256SUMS etc.) and
those files are themselves checksummed in the top-level buster Release
file, and that's signed by Release.gpg (or via InRelease if you prefer
that route).

Yes, it's not very obvious...

--
Steve McIntyre, Cambridge, UK.                                st...@einval.com
"I used to be the first kid on the block wanting a cranial implant,
 now I want to be the first with a cranial firewall. " -- Charlie Stross

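The chain described in the message above (signed Release, then SHA256SUMS, then the image), as an added shell example that is not part of the original thread. The function names are hypothetical, the keyring path assumes the debian-archive-keyring package is installed, and make_sample builds constructed stand-in files so the hash steps can be run offline; verify_release_sig needs the real Release and Release.gpg.

```shell
#!/bin/sh
# Added example: Release -> SHA256SUMS -> image hash chain for Debian installer images.
KEYRING=/usr/share/keyrings/debian-archive-keyring.gpg    # assumed: debian-archive-keyring installed
SUMS_PATH=main/installer-amd64/current/images/SHA256SUMS  # relative to dists/buster/

# Step 1 (needs gpgv and the keyring): detached signature over Release.
verify_release_sig() {   # usage: verify_release_sig Release.gpg Release
    gpgv --keyring "$KEYRING" "$1" "$2"
}

# Hash that the SHA256 section of Release file $1 records for path $2.
# Entries in other sections (MD5Sum, ...) are ignored.
release_sha256() {
    awk -v p="$2" '/^SHA256:/ { s = 1; next }
                   /^[^ ]/    { s = 0 }
                   s && $3 == p { print $1; exit }' "$1"
}

# Hash that SHA256SUMS file $1 records for entry $2 (e.g. ./hd-media/boot.img.gz).
sums_sha256() { awk -v p="$2" '$2 == p { print $1; exit }' "$1"; }

file_sha256() { sha256sum "$1" | cut -d' ' -f1; }

# Steps 2 and 3. usage: verify_chain Release SHA256SUMS entry image-file
# Only trust the result if verify_release_sig succeeded on the same Release file.
verify_chain() {
    want=$(release_sha256 "$1" "$SUMS_PATH")
    if [ -z "$want" ] || [ "$want" != "$(file_sha256 "$2")" ]; then
        echo "SHA256SUMS does not match Release" >&2; return 1
    fi
    want=$(sums_sha256 "$2" "$3")
    if [ -z "$want" ] || [ "$want" != "$(file_sha256 "$4")" ]; then
        echo "$3 does not match SHA256SUMS" >&2; return 1
    fi
}

# Constructed sample data (not real archive files) so the chain can be run offline.
make_sample() {   # usage: make_sample dir
    printf 'constructed image bytes\n' > "$1/boot.img.gz"
    printf '%s  ./hd-media/boot.img.gz\n' "$(file_sha256 "$1/boot.img.gz")" > "$1/SHA256SUMS"
    { printf 'Suite: stable\nMD5Sum:\n 0 1 %s\nSHA256:\n' "$SUMS_PATH"
      printf ' %s %s %s\n' "$(file_sha256 "$1/SHA256SUMS")" \
          "$(wc -c < "$1/SHA256SUMS" | tr -d ' ')" "$SUMS_PATH"; } > "$1/Release"
}
```
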
Re: Missing GnuPG signatures for checksums
On Mon, Apr 20, 2020 at 06:38:48PM +0200, Laurențiu Păncescu wrote:
> Hello,
>
> I'm trying to put a preseed file on the same USB stick as the installation,
> using hd-media/boot.img.gz is easier than remastering the iso. It works, but
> there seems not to be any signed checksum file for these images and they are
> served only over http:
>
> http://http.us.debian.org/debian/dists/buster/main/installer-amd64/current/images/
>
> How can I check if these images are authentic? I guess I could mount a
> signed CD iso like netinst, copy vmlinuz and initrd from there and create my
> own USB stick with syslinux - is there a better way?
>
Hi,

http://http.us.debian.org/debian/dists/buster/InRelease is signed and contains checksums for the d-i SHA256SUMS file. (I realize that still makes verification awkward.)

Cheers,
Julien

Missing GnuPG signatures for checksums
Hello,

I'm trying to put a preseed file on the same USB stick as the installation, using hd-media/boot.img.gz is easier than remastering the iso. It works, but there seems not to be any signed checksum file for these images and they are served only over http:

http://http.us.debian.org/debian/dists/buster/main/installer-amd64/current/images/

How can I check if these images are authentic? I guess I could mount a signed CD iso like netinst, copy vmlinuz and initrd from there and create my own USB stick with syslinux - is there a better way?

Thanks in advance,
Laurențiu